
Manage your app signing keys

With Google Play App Signing, you can securely manage your app signing keys for new or existing apps. Keys are stored on the same secure infrastructure Google uses to store its own keys.

About Google Play App Signing

Without Google Play App Signing: You sign the app with your app signing key, upload your app to Google Play, and then your app is delivered to the user.

With Google Play App Signing: You sign your app with your upload key. Then, Google verifies and removes the upload key signature. Finally, Google re-signs the app with the original app signing key you provided and delivers your app to the user.

Important: App Signing opt-in is permanent

Google Play App Signing is an optional program. If you prefer, you can continue managing your own keys.

Once you've enrolled your app in Google Play App Signing, withdrawal is not supported. To preserve the security of your app signing keys, we don't have the ability to remove keys from the secure server.

Types of keys & important definitions

  • App signing key: The key used to sign the APK that's on a user's device. You currently hold the app signing key and use it to sign your APKs. When you complete the program sign-up flow, you will upload this key to Google.
  • Upload key: A new key you generate during your enrollment in the program. You will use the upload key to sign all future APKs prior to uploading them to the Play Console.
  • Private Key: For APK signatures, this is the key used to sign the APK. The private key must be kept secret.
  • Public Key: For APK signatures, this is the key used to verify the signature of an APK. The public key can be visible to everyone.
  • Certificate: A certificate contains a public key as well as some extra identifying information about who owns the key.
  • PEPK tool: Play Encrypt Private Key is a tool for exporting private keys from a Java Keystore and encrypting private keys for transfer to Google Play as part of enrolling in Google Play App Signing.

Tips & best practices

  • To protect your developer account, we recommend you turn on 2-Step Verification for all accounts with access to your Play Console.
  • If you want to test the APK signed with the upload key, you may want to register the upload certificate in the Google Cloud Console for your app.

New apps

Step 1: Create an upload key

  1. To create an upload key for new apps, follow the instructions in Sign your app.
  2. Sign your new APK with the upload key.

About your upload key

  • Your upload key is only registered with Google and is used to authenticate the identity of the app creator.
  • Your signature is removed from any uploaded APKs before being sent to users.
  • To request a reset to your upload key, contact us.

Upload key restrictions

  • The upload key must be an RSA key that's 2048 bits or more.
  • The following aren't supported: DSA keys, EC keys, or RSA keys that are less than 2048 bits.
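As an added example that is not Google's own tooling: a small Java program that applies the two restrictions above (RSA only, at least 2048 bits) to a key, either to an alias in an existing upload keystore or to sample keys generated in memory. The class name, method names and the sample keys are assumptions made for this illustration.

```java
import java.io.FileInputStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.interfaces.RSAPublicKey;

/**
 * Checks a public key against the Play upload key restrictions stated on
 * this page: RSA only, modulus of at least 2048 bits.
 * Hypothetical helper, not part of the Play Console or the PEPK tool.
 */
public class UploadKeyCheck {

    static final int MIN_RSA_BITS = 2048;

    /** Returns null when the key is acceptable, otherwise the reason it would be rejected. */
    public static String rejectionReason(PublicKey key) {
        if (!(key instanceof RSAPublicKey)) {
            // DSA and EC keys land here: the page lists both as unsupported.
            return "not an RSA key (algorithm: " + key.getAlgorithm() + ")";
        }
        int bits = ((RSAPublicKey) key).getModulus().bitLength();
        if (bits < MIN_RSA_BITS) {
            return "RSA modulus is only " + bits + " bits; at least " + MIN_RSA_BITS + " required";
        }
        return null;
    }

    /** Loads the certificate stored under an alias in a keystore file and checks its key. */
    public static String checkKeystoreEntry(String path, char[] storePassword, String alias) throws Exception {
        // The default type is PKCS12 on current JDKs, which can also read JKS files;
        // on JDK 8 pass "jks" or "pkcs12" explicitly to match the file you created with keytool.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePassword);
        }
        Certificate cert = ks.getCertificate(alias);
        if (cert == null) {
            return "no certificate found for alias '" + alias + "'";
        }
        return rejectionReason(cert.getPublicKey());
    }

    /** Generates a throwaway key pair of the given algorithm and size (sample input only). */
    private static PublicKey generate(String algorithm, int bits) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance(algorithm);
        gen.initialize(bits);
        KeyPair pair = gen.generateKeyPair();
        return pair.getPublic();
    }

    private static void report(String label, PublicKey key) {
        String reason = rejectionReason(key);
        System.out.println(label + ": " + (reason == null ? "accepted" : "rejected, " + reason));
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 3) {
            // Usage: java UploadKeyCheck upload-keystore.jks <store-password> <alias>
            String reason = checkKeystoreEntry(args[0], args[1].toCharArray(), args[2]);
            System.out.println(reason == null
                    ? "OK: key meets the upload key restrictions"
                    : "REJECT: " + reason);
            return;
        }
        // Constructed sample keys, generated in memory, to show each outcome.
        report("RSA 2048", generate("RSA", 2048));   // accepted
        report("RSA 1024", generate("RSA", 1024));   // rejected: too short
        report("EC P-256", generate("EC", 256));     // rejected: not RSA
        report("DSA 2048", generate("DSA", 2048));   // rejected: not RSA
    }
}
```

Run it with no arguments to see the four sample outcomes, or with a keystore path, store password and alias to check the upload key you generated with keytool before you upload the certificate to the Play Console.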

Step 2: Prepare your release

Prerequisite: If you're a Play Console account owner, you can opt in to Google Play App Signing. You'll need to accept the Terms of Service once per developer account. Once you've accepted the terms, you can enroll individual apps into the program.

  1. Go to your Play Console.
  2. Select an app.
  3. On the left menu, select Release management > App releases.
  4. Next to "Google Play App Signing," select Accept.

Step 3: Upload your signed app

  1. Follow the steps to prepare & roll out a release.
  2. Before the app is delivered to users, Google Play will remove your upload key signature and re-sign the app with a new key.

To find the certificate of the key Google uses to re-sign your APK for delivery:

  1. Sign in to your Play Console.
  2. Select an app.
  3. On the left menu, click Release management > App signing.

Existing apps

Step 1: Opt into the program

Prerequisite: If you're a Play Console account owner, you can opt in to Google Play App Signing. You'll need to accept the Terms of Service once per developer account. Once you've accepted the terms, you can enroll individual apps into the program.

To opt in an app:

  1. Sign in to your Play Console.
  2. Select an app.
  3. On the left menu, click Release management > App signing.
  4. Review the Terms of Service and select Accept.

Step 2: Send your original key to Google & create an upload key

To upload your original key to Google Play and create an upload key:

  1. Find your original app signing key.
  2. Sign in to your Play Console.
  3. Select an app.
  4. On the left menu, click Release management > App signing.
  5. Follow the on-screen instructions to transfer your original app signing key, generate an upload key, and register the upload key with Google.
  6. On the next screen, you'll be shown a fingerprint of your app's certificate.

About your upload key

  • Your upload key is only registered with Google and is used to authenticate the identity of the app creator.
  • Your upload key signature is removed from any uploaded APKs before they're sent to users.
  • To request a reset to your upload key, contact us.

Upload key restrictions

  • The upload key must be an RSA key that's 2048 bits or more.
  • The following aren't supported: DSA keys, EC keys, or RSA keys that are less than 2048 bits.

Step 3: Update your keystores

After you create an upload key, update your keystores. For example, you may want to check the following locations:

  • Local machine
  • Locked on-site server (varying ACLs)
  • Cloud machine (varying ACLs)
  • Dedicated secrets management services
  • (Git) repositories

Step 4: Sign your next app update with the upload key

All updates to your existing app must now be signed with your upload key. This will allow Google to verify your identity. Google will re-sign your APK before delivering the update to users.

To find your app's upload key:

  1. Sign in to your Play Console.
  2. Select an app.
  3. On the left menu, click Release management > App signing.

Modifications to your APK

Apps that are signed by Google will have a "derived APK ID" written into their AndroidManifest.xml file. You'll see a meta-data element added under the application tag of the form <meta-data android:name="com.android.vending.derived.apk.id" android:value="[ID]" />.

This ID is the identifier of the modified APK and will be reported in the usual bug reporting tools. You can use the derived APK ID to recognize a specific APK that was delivered by Play.
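As an added example that is not part of this help article: a plain-JDK Java helper that looks for the derived APK ID in a decoded AndroidManifest.xml and returns null for an APK that Play did not sign (for instance a build you signed locally with the upload key). It assumes the manifest has already been decoded to text, since the manifest inside an APK is compiled binary XML; the class name, method name and the sample manifest below are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Finds the derived APK ID that Play writes into the manifest of APKs it re-signs.
 * Hypothetical helper; the manifest must already be decoded to text XML.
 */
public class DerivedApkId {

    static final String ANDROID_NS = "http://schemas.android.com/apk/res/android";
    static final String DERIVED_ID_NAME = "com.android.vending.derived.apk.id";

    /** Returns the derived APK ID, or null when the manifest carries none. */
    public static String find(String manifestXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The manifest comes from an APK we did not necessarily build: refuse DTDs and external entities.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);

        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(manifestXml.getBytes(StandardCharsets.UTF_8)));

        NodeList apps = doc.getElementsByTagName("application");
        if (apps.getLength() == 0) {
            return null;
        }
        Element app = (Element) apps.item(0);
        // Only meta-data elements under <application> are considered, matching where Play adds it.
        NodeList metas = app.getElementsByTagName("meta-data");
        for (int i = 0; i < metas.getLength(); i++) {
            Element m = (Element) metas.item(i);
            if (DERIVED_ID_NAME.equals(m.getAttributeNS(ANDROID_NS, "name"))) {
                String value = m.getAttributeNS(ANDROID_NS, "value");
                return value.isEmpty() ? null : value;
            }
        }
        return null;
    }

    // Constructed sample manifests: one as Play would deliver it, one as built locally.
    static final String PLAY_SIGNED = ""
            + "<manifest xmlns:android=\"" + ANDROID_NS + "\" package=\"com.example.app\">\n"
            + "  <application android:label=\"Example\">\n"
            + "    <meta-data android:name=\"" + DERIVED_ID_NAME + "\" android:value=\"12345\" />\n"
            + "  </application>\n"
            + "</manifest>\n";

    static final String LOCAL_BUILD = ""
            + "<manifest xmlns:android=\"" + ANDROID_NS + "\" package=\"com.example.app\">\n"
            + "  <application android:label=\"Example\" />\n"
            + "</manifest>\n";

    public static void main(String[] args) throws Exception {
        System.out.println("Play-delivered APK: " + find(PLAY_SIGNED));   // 12345 (constructed value)
        System.out.println("Local build:        " + find(LOCAL_BUILD));   // null
    }
}
```

When triaging a crash report, matching the ID returned here against the Artifact library tells you which Play-delivered APK the device was running; a null result means the APK did not pass through Play signing.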

To download the Google Play signed APK in your Play Console, go to Release management > Artifact library.
